With Sonata, I'm trying to use the role-based security.
I want to give a group rights for listing, editing and creating users, so I created a role with:
ROLE_MANAGE_USERS:
    - ROLE_SONATA_USER_ADMIN_USER_EDIT
    - ROLE_SONATA_USER_ADMIN_USER_LIST
    - ROLE_SONATA_USER_ADMIN_USER_CREATE
This works fine, but according to the doc, I understand that a user granted
ROLE_SONATA_USER_STAFF
should already inherit rights for [EDIT, LIST, CREATE], but that does not seem to be the case.
I also tried with
ROLE_SONATA_USER_ADMIN_USER_STAFF
Is there something I misunderstood?
I guess that's not the case. First of all, the names of the main roles for edit depend on the service names. For example, if the service of the admin is sonata.user.admin, then the roles will be, for example:
ROLE_SONATA_USER_ADMIN_LIST
ROLE_SONATA_USER_ADMIN_VIEW
As you can see, the prefix is always ROLE (Symfony 2 requirement), followed by the service name (but with the dots exchanged for underscores, and all capital letters), and ended with the suffix for the specific permission:
LIST: view the list of objects
VIEW: view the detail of one object
CREATE: create a new object
EDIT: update an existing object
DELETE: delete an existing object
EXPORT: (for the native Sonata export links)
As I can understand, there is no ROLE_SONATA_USER_STAFF predefined for edit, list and create. However, you can define it in the hierarchy, in the security.yml file:
security:
    role_hierarchy:
        # Setting up
        ROLE_SONATA_USER_STAFF:
            - ROLE_SONATA_USER_ADMIN_EDIT
            - ROLE_SONATA_USER_ADMIN_LIST
            - ROLE_SONATA_USER_ADMIN_CREATE
        # using the staff role to create new roles
        ROLE_MANAGE_USERS: [ROLE_SONATA_USER_STAFF]
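The naming rule and the hierarchy from the answer above, as an added example that is not part of the original thread or of Sonata/Symfony itself. It derives role names the way the answer describes (ROLE_ + upper-cased service id with dots replaced by underscores + _ + permission), which also shows that the question's ROLE_SONATA_USER_ADMIN_USER_* names correspond to a service id of sonata.user.admin.user, and it resolves the proposed role_hierarchy transitively so you can check what a given set of roles actually grants. The hierarchy dict is a constructed copy of the YAML above; the function names are mine.

```python
"""Derive Sonata admin role names and resolve a Symfony-style role_hierarchy.

Added example; not Sonata or Symfony code. The hierarchy below is a constructed
copy of the one proposed in the answer.
"""
from collections import deque


def sonata_role(service_id, permission):
    """ROLE_ + service id upper-cased with dots -> underscores + _ + permission."""
    return "ROLE_" + service_id.upper().replace(".", "_") + "_" + permission.upper()


# Constructed sample: the role_hierarchy suggested in the answer.
ROLE_HIERARCHY = {
    "ROLE_SONATA_USER_STAFF": [
        "ROLE_SONATA_USER_ADMIN_EDIT",
        "ROLE_SONATA_USER_ADMIN_LIST",
        "ROLE_SONATA_USER_ADMIN_CREATE",
    ],
    "ROLE_MANAGE_USERS": ["ROLE_SONATA_USER_STAFF"],
}


def reachable_roles(hierarchy, roles):
    """Transitive closure of the granted roles (breadth-first, cycle-safe).

    This mirrors what a role hierarchy does: a user holding a parent role is
    treated as holding every role reachable from it. Roles that do not appear
    as a key in the hierarchy grant nothing beyond themselves.
    """
    seen = set(roles)
    queue = deque(roles)
    while queue:
        for child in hierarchy.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def is_granted(hierarchy, user_roles, needed):
    """True when `needed` is among the user's roles or reachable from them."""
    return needed in reachable_roles(hierarchy, user_roles)


if __name__ == "__main__":
    print(sonata_role("sonata.user.admin.user", "edit"))
    print(sorted(reachable_roles(ROLE_HIERARCHY, ["ROLE_MANAGE_USERS"])))
```

Note that ROLE_SONATA_USER_STAFF grants nothing unless it appears as a key in role_hierarchy: with an empty hierarchy, is_granted() returns False for every admin permission, which is the behaviour the question observed.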
I need guidance in the situation below:
I am migrating RHDS to OpenLDAP. I managed to convert the DIT and their attributes and schemas. However, I am stuck at access control.
In RHDS, currently, the access control is as below:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = ldap:///uid=*,ou=household,dc=example,dc=com) (targetattr="*") (version 3.0; acl "Household Itms Consumer subtree read - aci"; allow (read, compare, search) (userdn = "ldap:///*,ou=applications,dc=example,dc=com") ;);
Could someone please guide me in creating the OLC LDIF format?
Access control is not part of the LDAPv3 standard and thus the attribute aci is specific to RHDS and similar implementations.
You have to define new ACLs for your OpenLDAP setup.
I'd recommend to read the following docs:
OpenLDAP Admin Guide -- Access control
slapd.access(5)
FAQ-O-MATIC: Access Control
FAQ-O-MATIC: Sets in Access Control
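A concrete translation of the ACI from the question into OpenLDAP's olcAccess form, added here as an illustration; it is not part of the answer above and not taken from either product's documentation. It assumes the data backend is olcDatabase={1}mdb,cn=config, and it reads the ACI as: entries one level below ou=household whose RDN is uid=..., all attributes, readable by any entry beneath ou=applications.

```ldif
# Added example. Assumptions: the backend is olcDatabase={1}mdb,cn=config and
# the ACI target "uid=*,ou=household,..." means direct children with a uid RDN.
# RHDS "allow (read, compare, search)" collapses to slapd's "read", which
# already implies search and compare in its privilege ladder.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.onelevel="ou=household,dc=example,dc=com" filter=(uid=*)
  by dn.children="ou=applications,dc=example,dc=com" read
  by * none
```

Two things differ from the RHDS model and are worth checking before you apply this. RHDS ACIs are additive (several allow rules combine), whereas slapd stops at the first olcAccess clause whose `to` part matches the entry and attribute, so the `{0}` position and the trailing `by * none` decide who else loses access to those entries. Verify the result offline with slapacl(8), for example against one application DN and one household entry, before trusting it in production.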
I configured liferay-portal-6.2-ce-ga4 with OpenLDAP. Users are imported into OpenLDAP from Liferay, but user groups of Liferay are not exported into OpenLDAP. Here is my portal-ext.properties:
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.server.name=ldapadmin
ldap.auth.enabled=true
ldap.import.enabled=true
ldap.export.enabled=true
ldap.import.on.startup=true
ldap.export.on.startup=true
ldap.export.method.0=group
ldap.export.method.0=user
ldap.password.policy.enabled=true
ldap.base.provider.url.0=ldap://localhost:389
ldap.base.dn.0=dc=test,dc=com
ldap.security.principal.0=cn=admin,dc=test,dc=com
ldap.security.credentials.0=secret
ldap.auth.search.filter.0=(mail=#email_address#)
ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.user.mappings.0=userId=uid\nscreenName=cn\nemailAddress=mail\npassword=userPassword\nfirstName=givenName\nlastName=sn
ldap.import.group.search.filter.0=(objectClass=posixGroup)
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=memberUid
ldap.users.dn.0=ou=people,dc=test,dc=com
ldap.groups.dn.0=ou=groups,dc=test,dc=com
ldap.user.default.object.classes.0=inetOrgPerson, top
ldap.group.default.object.classes.0=posixGroup, top, groupOfUniqueNames,organizationalUnit
I have checked by clicking on the 'Test LDAP Groups' button: I can see around 5 groups which were created in OpenLDAP using the OpenLDAP GUI, but I can't see any group which I created in Liferay. It's not exporting user groups, it's only exporting users. Please give some solution for this.
I think the keys you use in your portal-ext.properties file are wrong.
In the documentation we can read:
#
# Settings for exporting users from the portal to LDAP. This allows a user
# to modify his first name, last name, etc. in the portal and have that
# change pushed to the LDAP server. This setting is not used unless the
# property "ldap.auth.enabled" is set to true.
#
ldap.export.enabled=false
#
# Set this to true if groups and their associations should be exported from
# the portal to LDAP. This setting is not used unless the property
# "ldap.auth.enabled" is set to true.
#
ldap.export.group.enabled=true
So you should use:
ldap.export.enabled=true
ldap.export.group.enabled=true
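The question's file has two problems the answer points at: a key that Liferay does not read, and a key assigned twice (java.util.Properties keeps the last value silently). The following checker is an added example, not Liferay code, that parses a portal-ext.properties fragment, reports duplicated keys, and flags the export settings that are inconsistent with the documented switches quoted above. The two sample fragments are constructed from the question and the answer; the finding texts and function names are mine.

```python
"""Lint a Liferay portal-ext.properties fragment for LDAP export pitfalls.

Added example; not part of Liferay. Samples are constructed from the thread.
"""
import re

# Constructed sample: the duplicated, undocumented key from the question.
SAMPLE_BROKEN = """\
ldap.auth.enabled=true
ldap.export.enabled=true
ldap.export.method.0=group
ldap.export.method.0=user
"""

# Constructed sample: the keys the answer says to use.
SAMPLE_FIXED = """\
ldap.auth.enabled=true
ldap.export.enabled=true
ldap.export.group.enabled=true
"""

_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Return every (key, value) pair in order, keeping duplicates.

    Java .properties style: '#' and '!' start comments, '=' or ':' separates.
    Backslash escapes inside values (e.g. the \\n in mapping keys) are kept as-is.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def duplicate_keys(pairs):
    """Keys assigned more than once; Properties would keep only the last value."""
    seen, dups = set(), []
    for key, _ in pairs:
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def check_ldap_export(text):
    """Return a list of findings; an empty list means the export settings look consistent."""
    pairs = parse_properties(text)
    props = dict(pairs)  # last assignment wins, exactly as Properties loads it
    findings = [f"duplicate key (last value wins): {k}" for k in duplicate_keys(pairs)]
    export_on = props.get("ldap.export.enabled") == "true"
    if export_on and props.get("ldap.auth.enabled") != "true":
        findings.append("ldap.export.enabled is ignored unless ldap.auth.enabled=true")
    if export_on and props.get("ldap.export.group.enabled") != "true":
        findings.append("groups are not exported: set ldap.export.group.enabled=true")
    for key in props:
        if key.startswith("ldap.export.method."):
            findings.append(f"{key} is not the documented group-export switch "
                            "(ldap.export.group.enabled)")
    return findings


if __name__ == "__main__":
    for name, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, check_ldap_export(sample) or "OK")
```

The duplicate-key check is the one worth keeping around: Liferay gives no warning when a property is set twice, so a typo in a key name fails silently and the last line wins.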
I need to add new user roles, such as "TYPO3.Neos:Creator"
TYPO3 Neos currently supported roles: "TYPO3.Neos:Editor", "TYPO3.Neos:Administrator". How can I do it?
Not sure, but it seems available roles are not stored in the database, but rather are gathered from YAML configuration files (and stored in cache??).
So, add a role in any Policy.yaml file, like:
roles:
  'My.Package:CreatorOfDoomRole':
    privileges: []
After that you can use the flow CLI command ./flow user:addrole <username> <role> to add a new role to a user (the roles are stored as comma-separated list in table typo3_flow_security_account, field roleidentifiers).
(Some more info about how yaml is cached: "The yaml files are cached, in development context that cache should be purged on every request (and on master that's a bit optimized so they will only be flushed in development context if there was really a change to the yaml). Stored in file: Data/Temporary/Production/Configuration/ProductionConfigurations.php")
If a POST has been made to /user, and my data model says that every user must have a group, how, after successfully creating a user, would I trigger a new group to be created in sails.js? For that matter, how can I get into another controller from a lifecycle callback like afterCreate or via other means?
You cannot call a controller inside a model, that would violate MVC pattern. You can create the group via
Group.create(obj)
or put your creation logic inside a service.
It sounds like you might be confusing models and controllers, which is easy to do if you're new to Sails because of the blueprints functionality it provides. That is to say: you don't need GroupController to create Group model instances, and GroupController.create is not the correct way to create a new Group programmatically. GroupController.create is a method that's called automatically when you POST to /group because Sails has set up a "blueprint" create action at that location.
The correct way to create a Group programmatically is by using the create method of the Group model class, which is globally available in a Sails app. So in your afterCreate, you could have:
afterCreate: function(values, cb) {
  // `values` is the User record that was just persisted; create its Group
  // and hand the callback to Waterline so errors propagate to the caller
  Group.create({user: values.id}).exec(cb);
}
Note that the latest version of Sails (v0.10.0-rc5) supports nested creates, so if you've defined User and Group to be associated with each other, you could just POST something like this to /user:
{
  name: "Joe Blow",
  age: 25,
  group: {
    name: "Joe's group"
  }
}
and the group will be created and associated with the user automatically. If you POST an embedded Group with a primary key, it will search for an existing group with that key and link it to the new User instead of creating a new Group.
I have a requirement to lock down access to a SharePoint library: Only users that belong to all the groups associated with the library should have read access; others should not be allowed to read.
Let's say I have a document library that concerns three projects:
12345
13579
24680
I have users that belong to one or more projects:
Joe: 12345, 24680
Jane: 13579, 24680
Jim: 24680
Harry: 12345, 13579, 24680
I need to restrict access to this library to only users who belong to ALL projects. I.e., only Harry should have access; the others should be denied. We'd use SharePoint groups named after each project to represent the 'belongs' relationship.
Edited with more detail:
We plan to create the doc lib and set up the initial security via a workflow. However, more projects may be associated with the doclib after it's created, based on info entered in a form, and people can get moved in and out of project groups by admins (e.g. for promotions, new hires, ...).
For now, if a form submission adds a new project after initial setup, an admin will probably create a new group if necessary, and assign it access to the doclib. Eventually, we'd do this in a workflow.
Currently, we're writing code to assign the initial security state for the site:
We scan a list of projects entered by a user into a form, create new project groups if necessary, create a site and a couple of doclibs, break role inheritance and assign our groups read access to the doclib. We add some users to each project group.
At this point, any of those users have read access. What we don't know how to do is restrict access to only users who are members of all the groups.
You've made it hard on yourself. Neither SharePoint nor AD works this way; I'd go back to the drawing board because this will only cause pain ;)
I would decouple management of groups and their assignment to document libraries and sync rights throughout SharePoint like Koen mentioned.
e.g. you manage group membership separate from the groups you use to connect them to document libraries. Then you need a process to enumerate over these separate groups and assign the users in there to the document libraries individually according to your business rules. Brittle at best.
You could set your document library to BreakRoleInheritance and set permissions to your items individually.
This is an example:
// requires Microsoft.SharePoint (server object model)
SPSecurity.RunWithElevatedPrivileges(delegate()
{
    using (SPSite site = new SPSite("http://..."))
    {
        using (SPWeb web = site.OpenWeb())
        {
            web.AllowUnsafeUpdates = true;
            // bind the Read role definition to the chosen SharePoint group
            SPRoleType role = SPRoleType.Reader;
            SPRoleAssignment assignment =
                new SPRoleAssignment(web.Groups["groupname"]);
            assignment.RoleDefinitionBindings.Add(
                web.RoleDefinitions.GetByType(role));
            SPList list = web.Lists["name"];
            SPListItemCollection items = list.GetItems(new SPQuery());
            foreach (SPListItem item in items)
            {
                // give the item its own permissions without copying the parent's
                if (!item.HasUniqueRoleAssignments)
                    item.BreakRoleInheritance(false);
                while (item.RoleAssignments.Count != 0) // remove all
                    item.RoleAssignments.Remove(
                        item.RoleAssignments.Count - 1);
                item.RoleAssignments.Add(assignment);
            }
        }
    }
});
The only way I can think of achieving this is to create a custom timer job that updates your document library every day by deleting all the rights, and then adding them again overnight. That would mean that people who join those projects will have to wait 1 day to get access. You would just create a collection of all the users of group 1, and check for each one if they exist in group 2, 3, ... and if they don't, remove them from the collection.
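The membership logic of that timer job, as an added example that is not part of the thread and not SharePoint code: the group data is a constructed sample taken from the question (Joe, Jane, Jim, Harry and projects 12345, 13579, 24680), and the two functions stand in for the part of the job that decides who to grant and who to revoke before it touches any role assignments. The function names are mine. It generalises the answer in two ways a practitioner needs: a required group that does not exist (or has no members) yields nobody rather than everybody, and the output is a grant/revoke delta rather than a drop-everything-and-readd pass.

```python
"""Who may read a library that requires membership in ALL of its project groups.

Added example; not SharePoint code. Membership data is constructed from the
question. A real job would fill PROJECT_GROUPS from web.Groups[name].Users.
"""

# Constructed sample: SharePoint group name -> set of member logins.
PROJECT_GROUPS = {
    "12345": {"Joe", "Harry"},
    "13579": {"Jane", "Harry"},
    "24680": {"Joe", "Jane", "Jim", "Harry"},
}


def users_in_all_groups(groups, required):
    """Users present in every required group.

    Fails closed: an empty requirement, or a required group that is missing,
    grants access to nobody instead of falling back to 'anyone in some group'.
    """
    if not required:
        return set()
    members = [groups.get(name, set()) for name in required]
    return set.intersection(*members)


def reconcile(current_readers, groups, required):
    """Return (grant, revoke) that turns current_readers into exactly the allowed set.

    Applying the delta instead of clearing and re-adding every assignment keeps
    the window in which nobody (or everybody) can read the library to a minimum.
    """
    allowed = users_in_all_groups(groups, required)
    return allowed - current_readers, current_readers - allowed


if __name__ == "__main__":
    required = ["12345", "13579", "24680"]
    print("allowed:", sorted(users_in_all_groups(PROJECT_GROUPS, required)))
    grant, revoke = reconcile({"Joe", "Harry"}, PROJECT_GROUPS, required)
    print("grant:", sorted(grant), "revoke:", sorted(revoke))
```

Adding a project to the library later only ever shrinks the allowed set, so the job must run the revoke half as faithfully as the grant half; and because a missing group yields nobody, a mistyped group name shows up as a mass revoke in the delta, which is much easier to notice than a silent over-grant.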